CVE-2026-33294 in AVideo

Summary

by MITRE • 03/22/2026

WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed. An authenticated attacker can force the server to make HTTP requests to internal network resources and retrieve the responses by viewing the saved video thumbnail. Version 26.0 fixes the issue.


Analysis

by VulDB Data Team • 03/27/2026

The vulnerability CVE-2026-33294 affects WWBN AVideo, an open source video platform, specifically the BulkEmbed plugin's save endpoint in versions prior to 26.0. This issue is a critical server-side request forgery vulnerability that stems from a missing security check in the plugin's URL handling. The flaw is in the file plugin/BulkEmbed/save.json.php, where user-supplied thumbnail URLs are passed to the url_get_contents() function without proper validation. Unlike the other six URL-fetching endpoints in AVideo, which were hardened with isSSRFSafeURL() checks, this code path was overlooked during the hardening effort, leaving an exploitable gap in the platform's defenses.

The technical flaw is reached when an authenticated user invokes the BulkEmbed plugin's functionality to save video thumbnails. The system accepts user-provided URLs without validating whether they point to internal network resources or are otherwise unsafe for server-side access. When the server passes these URLs to url_get_contents(), it makes HTTP requests to the specified endpoints, potentially reaching internal systems that should remain protected from external access. This allows attackers to bypass network segmentation controls and retrieve responses from internal services that would normally be unreachable from the public internet. The impact is heightened because the request is issued during a normal thumbnail-saving operation, which makes the activity hard to distinguish from legitimate use and potentially allows automated exploitation.

The operational impact of this vulnerability extends beyond simple information disclosure, as it enables attackers to perform reconnaissance of internal network infrastructure and potentially escalate their access. An attacker could use this vulnerability to probe internal services, identify running applications, and gather sensitive information from systems that should only be accessible through internal networks. The vulnerability affects any authenticated user with access to the BulkEmbed plugin, which means that even users with limited privileges could potentially exploit this issue to gain insights into the internal network topology and service configurations. This represents a significant risk for organizations that rely on AVideo for content management, as it could expose internal infrastructure to unauthorized access and reconnaissance activities.

The fix in version 26.0 applies the same SSRF protection already used by the other six URL-fetching endpoints in AVideo: the code path now validates the URL with the isSSRFSafeURL() function so that every external URL request is checked against a whitelist of safe domains and network ranges before it is fetched. Organizations should upgrade to version 26.0 or later without delay. The issue is classified under CWE-918 (Server-Side Request Forgery) and aligned with ATT&CK technique T1104 (Command and Control communication) and tactic TA0011 (Command and Control); it illustrates how a single missing security control in one component can open an attack vector that bypasses conventional network security measures.
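Added example (not AVideo's own code): a Python model of the server-side check that the summary says save.json.php lacked before 26.0, with the guard placed ahead of the fetch as the fix does. It approximates rather than reproduces isSSRFSafeURL(); the function names, the blocklist and the DNS table are assumptions constructed for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example: a minimal SSRF guard for a server-side URL fetch. It is not
# AVideo's isSSRFSafeURL(); it models the check save.json.php lacked before 26.0.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

def ip_is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:127.0.0.1 is really 127.0.0.1
    return not any(ip in net for net in BLOCKED)

def system_resolver(host: str) -> list:
    # Real DNS lookup; also normalises forms such as "0x7f000001" or "2130706433".
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_ssrf_safe_url(url: str, resolver=system_resolver) -> bool:
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                         # no file://, gopher://, dict://, ...
    if parts.username or parts.password:
        return False                         # reject "http://trusted@internal/" confusion
    try:
        ipaddress.ip_address(parts.hostname)
        addrs = [parts.hostname]             # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = resolver(parts.hostname)
        except (socket.gaierror, OSError):
            return False
    # Every resolved address must be public, or DNS can mix in an internal one.
    return bool(addrs) and all(ip_is_public(a) for a in addrs)

def save_thumbnail(url: str, fetcher, resolver=system_resolver):
    # Hardened code path: validate first, fetch second; None means refused.
    if not is_ssrf_safe_url(url, resolver):
        return None
    # Caveat: a rebinding-resistant client would connect to the checked addresses.
    return fetcher(url)

# Constructed DNS table so the example runs offline (no real hosts involved).
FAKE_DNS = {"cdn.example": ["203.0.113.10"], "metadata.example": ["169.254.169.254"],
            "mixed.example": ["203.0.113.10", "10.0.0.5"]}

def fake_resolver(host: str) -> list:
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return FAKE_DNS[host]
```

The mixed.example entry shows why every resolved address must pass: a name that resolves to one public and one internal address is refused as a whole.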

Responsible: GitHub M

Reservation: 03/18/2026

Disclosure: 03/22/2026

Moderation: accepted

CPE: ready

EPSS: 0.00013

KEV: no

Activities: very low
